Google's "Using OAuth 2.0 for Client-side Application" article at https://developers.google.com/accounts/docs/OAuth2UserAgent states that the client MUST validate all access tokens to verify that it ...

I have implemented CSRF Guard into my web application. It's working fine for GET requests (with AJAX and without AJAX); however, for POST requests the token is not getting injected into the request that's ...

I'm building a CSRF prevention method in our application framework. I use, inter alia, the OWASP site.
We have chosen the "Double Submit Cookies" prevention measure, described at the OWASP CSRF ...

There's this "change password" ASP.NET form that has both event validation and viewstate enabled. There are no specific anti-CSRF tokens. From my understanding, in order to execute a successful CSRF ...

CSRF tokens are used a lot.
The server sets a token in a cookie for that domain that is either (1) included in the HTML form or (2) read by JavaScript and included in the request. The server verifies the ...

I'm performing an authorized vulnerability analysis on a custom web service and have discovered a CSRF vulnerability.
Due to there not being form tokens coupled with the service not checking for the ...

Is it possible to secure a Single Page Application (SPA) served from a CDN that communicates with a REST API, assuming the following:
The front end communicates with a backend REST API using a token ...

Is it good practice to recreate the CSRF token once it's been used (basically create a new token after a POST request is sent)? Or is it an unnecessary measure to take? My current system is recreating ...

What is the vulnerability level if the anti-CSRF token is not sent with every POST request? (If the vulnerability levels were high, medium and low.) I understand for critical functions like login etc. ...

I store the csrf token in a form and compare it against what I have in cache.
Sometimes I store the csrf token in cookie and compare it against what I have in cache.
I generate new csrf tokens every ...

I'm building a small site which I would like to integrate with LinkedIn for authentication. LinkedIn says that redirect_uri's can be either http:// or https:// (not having to pay for a certificate is ...

The django docs tell us that our AJAX scripts should acquire the token from the designated cookie as in get_cookie('_csrf_token'). Can I rather print it to the HTML source, so that it's available to ...

Personally I want to call the element _DO_NOT_give_this_security_thingy_to_anybody_ever. An example scenario is some clever social engineers want the user to run a malicious "add a friend" and find ...

I am making a web application in Django which generates and includes CSRF tokens for sessions (a Django session can be anonymous or a registered user). Should I keep CSRF protection to the controllers ...

I have a web interface to hardware that is primarily used to reboot the hardware. Reboot can be done only by an authenticated user. The web interface is written in CGI/shell script. It does not use any ...

GitHub Pages is now using the github.io domain instead of github.com. I've read GitHub's explanation, but it's still difficult for me to understand the root cause. Why would a domain become a security issue?
...

A website based on Apache Struts uses a Central Authentication Service (CAS) for login. I'd like to know if additional CSRF protection needs to be provided with Struts in case CAS doesn't provide that.
...

Is the Double Submit Cookies mechanism vulnerable to anything other than XSS and sub-domain attacks?
All CSRF protection mechanisms are vulnerable to XSS, so that's nothing new. I'm just wondering if I ...